The evolution of cybersecurity practices took a significant leap forward with Cisco Live 2025’s introduction of a Security Operations Center (SOC) at its San Diego event. This marked a transformative moment in cybersecurity education and network protection strategies. Building on the momentum from Cisco Live Melbourne’s successful SOC deployment last year, the initiative in San Diego was designed with clear objectives: robust network protection against increasingly sophisticated threats, enlightening attendees through curated tours and resource sharing, and pioneering novel integrations and processes to enhance SOC operations. By integrating various advanced technologies and leveraging prior initiatives like RSAC Conference experiences, Cisco Live 2025 exemplified the convergence of security and education in real-time scenarios. The collaboration with the Network Operations Center (NOC) was a foundational aspect, resulting in a synchronized operation that ensured the seamless function of network infrastructure and security mechanisms throughout the conference.
Integrated Solutions and Collaborative Efforts
One of the most distinctive features of Cisco Live 2025’s SOC was the ‘SOC in a Box’, a refined, ready-to-deploy solution born from years of experience. This portable unit contained all the hardware needed to integrate with the NOC, Splunk Enterprise Security, and Cisco Security Cloud, offering a complete toolkit for on-site network protection. Engineers with experience from RSAC conferences staffed the SOC in San Diego alongside remote support teams, and the team’s collective background also extends to notoriously hostile networks such as Black Hat’s, strengthening the SOC’s capacity to handle complex threats. The partnership with Endace, a distinguished name in full-packet capture technology, played a crucial role by elevating packet capture and analysis capabilities. This collaboration proved significant in addressing security challenges, contributing to a better-defended network through complete packet capture and detailed traffic analysis.
Comprehensive Security Architecture
To achieve a robust security framework, the SOC’s architecture integrated multiple components and platforms. The SOC in a Box was combined with Secure Access virtual appliances for Domain Name System (DNS) management and a Switched Port Analyzer (SPAN) port that mirrored network traffic for inspection. An essential element was the EndaceProbe packet capture platform, which enabled full investigation of any detected anomaly. By archiving all network traffic and feeding metadata, such as Zeek logs, into the Splunk Enterprise Security platform, the SOC ensured that analysis covered the complete traffic picture. The architecture also filtered and streamed reconstructed file content to Splunk Attack Analyzer and Secure Malware Analytics for detailed scrutiny, further strengthening the overall security posture. Duo Central’s Single Sign-On eased access to both on-premises and cloud-based tools, which was vital in a compact setup. Extended Detection and Response (XDR) and Splunk Cloud, with pre-configured data sources and dashboards, reduced the setup workload, showcasing Cisco Live’s commitment to both advanced security measures and educational outreach.
Event Outcomes and Insights
The execution of Cisco Live’s SOC was substantiated by statistics illustrating its efficacy and reach. With over 22,000 attendees, the conference captured 99.5 billion packets using Endace technology. Splunk recorded 4.5 billion logs, total network sessions reached 1.49 billion, and unique device connectivity peaked at 37,052. The effort resulted in 78.9 terabytes of packet data written to disk and 1.99 terabytes of logs uploaded to the cloud, showing the capacity and thoroughness of Cisco’s security architecture. Peak bandwidth utilization reached 4.85 Gbps, reflecting efficient network management amid high activity levels. DNS requests totaled 261.3 million, with 28.3K requests blocked, reflecting the threat prevention measures in place. Notable findings included the detection of devices sending usernames and passwords in cleartext: 2,256 cleartext instances from 97 unique devices/accounts. Approximately 740,172 files underwent malware analysis, underscoring the depth of the security assessment and threat detection carried out during the event.
Reflections and Key Contributions
Reflections from the engineers operating within the SOC offered valuable insights into the lessons learned from this deployment. From techniques such as detecting cleartext passwords in HTTP POST requests to applying AI in countering phishing campaigns, the dedication to adopting cutting-edge strategies was evident. Engineers shared case studies on building Extended Detection and Response integrations with the Splunk Attack Analyzer, emphasizing how real-time challenges were addressed. Network forensics work with Endace further highlighted the analytical rigor and strategic thinking employed throughout the SOC operation in San Diego. Acknowledgments recognized the key personnel whose efforts were vital to the SOC’s success. Coordinated teamwork among the Network Operations Center liaisons, Cisco Security, the Splunk SOC Team, and the Endace SOC Team was central to achieving enhanced security and educational outreach for Cisco Live attendees.
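To illustrate the cleartext-credential detection technique mentioned above, here is an added example (not Cisco’s, Splunk’s or Endace’s code) that inspects reconstructed HTTP requests, flags form POSTs and Basic-auth headers carrying credentials, and counts instances and unique device/account pairs the way the event statistics do. The field-name lists and the sample requests are constructed assumptions; secret values are deliberately never stored.

```python
from base64 import b64decode, b64encode
from urllib.parse import parse_qs

# Assumed field names that usually carry a secret or an account name in a login form.
CRED_FIELDS = {"password", "passwd", "pwd", "pass", "secret"}
USER_FIELDS = {"username", "user", "login", "email"}

def parse_http_request(raw):
    """Split a raw HTTP/1.x request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body

def find_cleartext_credentials(src_ip, raw):
    """Return a finding for a request that carries a credential in the clear, else None.
    Only the account name and the offending field names are kept, never the secret."""
    method, path, headers, body = parse_http_request(raw)
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        account = b64decode(auth[6:]).decode("utf-8", "replace").split(":", 1)[0]
        return {"src": src_ip, "path": path, "account": account, "via": "basic-auth"}
    if method == "POST" and "x-www-form-urlencoded" in headers.get("content-type", ""):
        form = parse_qs(body)
        hits = sorted(CRED_FIELDS & {k.lower() for k in form})
        if hits:
            users = [form[k][0] for k in form if k.lower() in USER_FIELDS]
            account = users[0] if users else "<unknown>"
            return {"src": src_ip, "path": path, "account": account, "via": "form:" + ",".join(hits)}
    return None

def summarize(events):
    """events: (src_ip, raw_request) pairs. Returns (instances, unique device/account pairs)."""
    findings = [f for src, raw in events if (f := find_cleartext_credentials(src, raw))]
    return len(findings), len({(f["src"], f["account"]) for f in findings})

# Constructed sample traffic for this example; not real conference data.
FORM = "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
LOGIN = "POST /login HTTP/1.1\r\nHost: portal.example\r\n" + FORM + "username=alice&password=notasecret"
SEARCH = "POST /search HTTP/1.1\r\nHost: portal.example\r\n" + FORM + "q=zeek+logs"
BASIC = ("GET /api/status HTTP/1.1\r\nHost: portal.example\r\nAuthorization: Basic "
         + b64encode(b"bob:pw").decode() + "\r\n\r\n")
SAMPLE_EVENTS = [("10.0.0.5", LOGIN), ("10.0.0.5", LOGIN), ("10.0.0.9", BASIC), ("10.0.0.7", SEARCH)]

if __name__ == "__main__":
    print(summarize(SAMPLE_EVENTS))  # (3, 2): three instances from two device/account pairs
```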
The Road Ahead for Cybersecurity and Education
Cisco Live 2025 advanced cybersecurity practice by unveiling a Security Operations Center (SOC) at its San Diego event, a pivotal moment for both cybersecurity education and network defense strategies. This accomplishment follows the success of the SOC at Cisco Live Melbourne, which created anticipation and set a high standard for San Diego. The key aims of the initiative were securing the network from increasingly sophisticated threats, educating participants through structured tours and shared resources, and exploring innovative integrations to enhance SOC functions. By incorporating advanced technologies and building on experience from events like the RSAC Conference, Cisco Live 2025 demonstrated the synthesis of security and learning in dynamic, real-world conditions. A crucial element was the collaboration with the Network Operations Center (NOC), which guaranteed the smooth functioning of both the network infrastructure and the security systems throughout the event.